Wednesday, October 27, 2010

The news has been full of articles about the Firesheep addon for Firefox. The addon lets you listen to network traffic on an open WLAN and also makes it easy to hijack any session that:

works over an unsecured connection (no SSL/HTTPS)

relies on a session cookie

The sites whose sessions you can hijack with the default settings include:

Amazon.com

Dropbox

Enom

Facebook

Flickr

Google

Windows Live

Yahoo

Twitter

You can also add new sites manually.

Some of the sites log you in over a secure connection and, after the login procedure, move you to a non-secure channel to save bandwidth/processor time. So even if your credentials are secure, the session will be hijackable.

Possible workarounds are using a VPN (though the network traffic will still be unencrypted between your VPN endpoint and the service) or an addon that forces the browser to use only HTTPS connections to certain sites. An example of such an addon is Force-TLS.
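From the site operator's side, the two conditions above (a session cookie that the browser will send over plain HTTP, and a post-login redirect from https:// to http://) can be checked directly against the login response. The following is an added example, not code from the original post or from the Firesheep project: it parses Set-Cookie headers with Python's standard http.cookies module and flags session-looking cookies that lack the Secure flag, plus any redirect that downgrades the scheme. The cookie-name heuristics, the example.com URLs and the two sample responses are constructed for illustration.

```python
"""Audit a login response for the two Firesheep preconditions:
a session cookie sent over plain HTTP and a post-login downgrade to http://."""
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Heuristic: substrings that usually mark a cookie as carrying a session id (assumption).
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_set_cookie(headers):
    """Return (name, morsel) pairs for every Set-Cookie header in a list of (name, value)."""
    cookies = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # one Set-Cookie value yields one or more morsels
        cookies.extend(jar.items())
    return cookies


def cookie_findings(headers):
    """Flag session-looking cookies that a browser would also send over plain HTTP."""
    findings = []
    for name, morsel in parse_set_cookie(headers):
        if not any(hint in name.lower() for hint in SESSION_NAME_HINTS):
            continue
        # Without Secure, the cookie rides along on every http:// request and is
        # readable by anyone sniffing the open WLAN.
        if not morsel["secure"]:
            findings.append(f"cookie {name!r} lacks the Secure flag")
        # HttpOnly does not stop sniffing, but keeps scripts from reading the cookie.
        if not morsel["httponly"]:
            findings.append(f"cookie {name!r} lacks the HttpOnly flag")
    return findings


def redirect_downgrades(login_url, location):
    """True if a redirect sends the browser from an https:// login to an http:// page."""
    src, dst = urlparse(login_url), urlparse(location)
    return src.scheme == "https" and dst.scheme == "http"


def audit_login_response(login_url, status, headers):
    """Combine the cookie and redirect checks into one list of findings."""
    findings = cookie_findings(headers)
    if status in REDIRECT_STATUSES:
        for name, value in headers:
            if name.lower() == "location" and redirect_downgrades(login_url, value):
                findings.append(f"post-login redirect downgrades to {value}")
    return findings


# Constructed sample data: an https:// login page and two possible server responses.
LOGIN_URL = "https://www.example.com/login"
WEAK_LOGIN_RESPONSE = (302, [
    ("Set-Cookie", "sessionid=c0nstructed123; Path=/; Domain=.example.com"),
    ("Location", "http://www.example.com/home"),
])
HARDENED_LOGIN_RESPONSE = (302, [
    ("Set-Cookie", "sessionid=c0nstructed123; Path=/; Domain=.example.com; Secure; HttpOnly"),
    ("Location", "https://www.example.com/home"),
])

if __name__ == "__main__":
    for label, (status, headers) in (("weak", WEAK_LOGIN_RESPONSE),
                                     ("hardened", HARDENED_LOGIN_RESPONSE)):
        print(label, audit_login_response(LOGIN_URL, status, headers))
```

The weak response reproduces exactly the pattern described above: credentials travel over HTTPS, but the session cookie has no Secure flag and the user is sent to an http:// page, so the cookie is exposed on the next request. The hardened response keeps the session on HTTPS and marks the cookie Secure, which is the server-side counterpart of what Force-TLS enforces in the browser.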